Security audit

huawei-cloud-dws-cpu-diag

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs read-only DWS CPU diagnostics, but its installation references introduce unrelated OBS tooling and risky credential-handling steps that users should review carefully.

Install only if you actually need Huawei Cloud DWS CPU diagnostics and can provide narrowly scoped read-only DWS permissions. Review the referenced setup docs before use: the OBS/obsutil steps appear unrelated and should not be followed unless you independently need OBS tooling. Avoid putting AK/SK secrets directly on command lines, and treat generated HTML reports as sensitive operational data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium (89% confidence)
Finding
The skill explicitly instructs the agent to write an HTML report into the workspace, which is a side effect beyond merely analyzing metrics and returning a diagnosis. While the file content appears diagnostic rather than destructive, silent filesystem writes can surprise users, leave residual sensitive operational data on disk, and expand the skill's effective privileges.

Intent-Code Divergence

Low (85% confidence)
Finding
The documentation says output only contains the diagnosis report, but later adds a hidden persistence action by saving the report locally. This inconsistency is dangerous because it obscures a side effect from users and reviewers, making it harder to assess where potentially sensitive cluster diagnostics will be stored.

Intent-Code Divergence

Medium (96% confidence)
Finding
The file is materially inconsistent with the declared skill purpose: it presents an OBS Object Storage Statistics installation guide inside a DWS CPU diagnosis skill. This kind of scope mismatch is dangerous because it can induce users or downstream agents to install unrelated tooling and configure unnecessary cloud credentials, expanding the attack surface and enabling unintended data access.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The guide instructs users to install and authenticate OBS tooling (`obsutil`) and test bucket access even though the stated skill is for DWS CPU diagnosis. In this context, collecting or prompting for storage credentials and bucket-listing capability is over-privileged and can lead to unnecessary exposure of AK/SK, unauthorized object storage access, or accidental execution of unrelated cloud operations.

Missing User Warnings

Low (91% confidence)
Finding
Saving an HTML file to the workspace without a clear user-facing warning creates an undisclosed local side effect. Even if the content is legitimate, diagnostic reports may include cluster identifiers, hostnames, usernames, SQL text, and timing details that become unnecessarily persisted and available to later processes or users on the same system.

Missing User Warnings

Medium (98% confidence)
Finding
The `obsutil config -ak=<AK> -sk=<SK> ...` example places long-lived credentials directly on the command line without a nearby warning. Command-line secrets are commonly exposed via shell history, process listings, audit logs, or terminal recording, creating a straightforward path to credential compromise.

Missing User Warnings

Medium (91% confidence)
Finding
The guide explicitly instructs users to place AK/SK in plaintext in `conf/dws_config.yaml` and notes they are only auto-encrypted later on startup. That creates a real exposure window where secrets may be written to disk unprotected, captured in shell history or process listings when passed as CLI arguments, or accidentally committed to source control. In this skill context, the danger is higher because the tool is intended for operational diagnostics and likely runs with real cloud credentials that can access DWS resources.

VirusTotal

64/64 vendors flagged this skill as clean.